Allow to pass overrideConfiguration per request #2107

Open
@btd

Description

Security issue notifications

If you discover a potential security issue in the AWS Encryption SDK we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.

Problem:

If I want to pass additional headers with a Decrypt call (e.g. Confused Deputy protection), I need to provide a separate KmsClient for each account. Instead, in SdkV2 I can call .overrideConfiguration on the request (you already use it for API_NAMESPACE).

If it were possible to add .overrideConfiguration per encrypt/decrypt call, I could use the same KmsClient for all accounts.

Solution:

A description of the possible solution in terms of Encryption SDK architecture.

I see 2 options:

  1. In AwsCrypto.decryptData/encryptData, provide an additional argument with options.
  2. When constructing KmsMasterKeyProvider, ask for a supplier for the override. But there we need to send something in addition to identify the context of the request.

Out of scope:

Is there anything the solution will intentionally NOT address?
